NYT: China hacked us for four months

posted at 8:31 am on January 31, 2013 by Ed Morrissey

Hackers in China spent four months sneaking up on their cybertarget, exploiting American universities to mask their approach, all to penetrate … the New York Times? That’s what the Gray Lady reports today, although it claims that nothing of importance was stolen. The hunters became the prey soon enough, Nicole Perlroth writes:

For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.

After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.

The timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.

According to the article, the hackers installed malware that eventually found its way onto every computer on the NYT network. They collected all of the passwords in order to access files stored outside of the network servers. The hackers spent four months rifling through the Paper of Record’s records. And the only thing that interested them was the sources for their reporting on Wen?

That sounds a little odd, although it’s plausible. Authoritarian regimes tend to overreact to criticism and do strange things; certainly, Joseph Stalin and Saddam Hussein exemplified the extreme end of that behavior, and they’re hardly alone in it. But this had to have taken a lot of resources and risked exposing cyberwarfare strategies that China might have preferred to keep under wraps for somewhat more lucrative targets.

According to the Times, they didn’t even bother going after financial records of customers or staff:

Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside The Times’s newsroom. Experts found no evidence that the intruders used the passwords to seek information that was not related to the reporting on the Wen family.

No customer data was stolen from The Times, security experts said.

For its part, China calls the accusation “unprofessional and baseless.” If this report is true, it sounds as though China conducted a rather unprofessional bit of cyberwarfare for baseless value.

I have a Linux bastion server at home, and, for several years, the Chinese (or someone/someones using IP blocks from China) have been persistently trying to guess my ssh logins and access my squid cache server.

Whenever I pinged them, they’d stop.

About a week ago, they stopped using China-based IP addresses and instead began using a machine they’ve taken over on the same local subnet (from my ISP’s side) that my server is on to do the same things they’ve been doing directly — as a bent pipe.

So now, on the WAN side of my bastion, I was seeing 192.168.x.x addresses show up.

After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.

There are a whole lot of typing errors in the title. “Us” should be capitalized because it’s an abbreviated country name, “months” should read as “years”, and the first two letters in the word “hacked” are also wrong.

You may want to look at things a little closer.
You said WAN side, and then referenced IP address 192.168.x.x
That is a private block of IPs, and therefore is not routable over the internet... so if you are seeing that IP address pop up, then it is most likely internal to your network.
Any of these blocks of IPs are not routable over the internet.
10.x.x.x -> Class A private
172.16.x.x -> Class B Private
192.168.x.x -> Class C private.

I am a network admin for a small company; we see a bunch of IPs from China.

As good world citizens, I’m sure Times managers realize that all the NYT records belong to all, as led by the party, and erecting barriers to entry is a counter-revolutionary act. Next thing to happen will be fines against the NYT from the Justice Department, followed by self-criticism and, eventually, banishment to farm cadres for re-education.

Probably not. I’m a long shot from this field but I recognize those who are by what they say and write, and the one who wrote this wouldn’t be able to:

After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in.

My first reaction to the NYT’s story is that the Wen excuse is a cover. Their real intent is to alert all of their reporters’ confidential sources that they may have been compromised.

The NYT developed a pretty good (as in despicable, near traitorous from our perspective) network of government sources during the Bush years; remember all the classified tidbits and operations that were blown? Picture this scenario:

The scene opens on a Washington DC Starbucks where a mid-level State Department bureaucrat, female, married with two kids, is having a vanilla latte when she’s approached by an Asian American who blends in with all the other customers. He’s actually an “illegal” with the PRC’s Ministry of State Security. In perfect unaccented English he says to her, “We know you’ve talked to the New York Times. How about talking to us, or would your husband and children prefer we talk to your boss?”

From an operational concept, hacking a left-wing, generally anti-American domestic newspaper is a wonderful way of finding intelligence sources to exploit.

From an operational concept, hacking a left-wing, generally anti-American domestic newspaper is a wonderful way of finding intelligence sources to exploit.

allanbourdius on January 31, 2013 at 10:14 AM

I think you have nailed it. That would be a treasure trove of compromised sources that would be easy to exploit. After all, they betrayed their confidence to one group of Marxists; getting them to betray more, for money, to a different group of Marxists would be an easy next step, especially when leverage through blackmail is applied.

/let’s face it, that’s about the only thing of value that NYT has, it certainly has no trade secrets for producing a popular, widely read, non-partisan newspaper.

I spoke correctly. Remember, the ISP itself has placed my computer on a subnet. The 192.168.x.x addresses are coming from my WAN-side adapter. That implies another computer on the ISP’s subnet has been compromised. It’s the same MAC address every time, and that address matches nothing I know about. I’m not stupid — I am NOT running both WAN and LAN out the same adapter.

My bastion server IS my router. The outward-facing NIC has absolutely NO Chinese-produced parts in it — it’s an old “Made in USA” 100Mb/s card, so I know they will find it very difficult to activate any hidden microcode. Given that my throughput maxes out at 24Mb/s, I think I have a few years before I have to think about replacing the card.

I have IPTABLES blocking all of the private class addresses and logging them to prevent injection. That’s how I know the attack patterns. Also, squid is only accessible from 127.x.x.x addresses and firewalled off by IPTABLES (with logging) from my outbound adapter so they certainly are NOT going to get to its port unless they penetrate the box. Finally, ssh is rate-limited (again by IPTABLES) so they are allowed three logged tries per hour — good luck finding out any password of interest. Of course, they are trying “root” with each attempt, but my ssh is configured to not allow root logins. The Russians used to try random passwords and random userids from a dictionary, but they haven’t tried this stuff in years — I guess they found that Windows boxes were far more hospitable…

Oh, and the IPTABLES default policy is DROP — so I’m sure that’s annoying them by increasing their use of socket descriptor resources on each asset they deploy.

And if they should get past all of that, I’ve got a containerized SELINUX security policy waiting for them, and a set of IPTABLES rules on the INSIDE adapters (including the 127 address group) designed to keep my kids from doing things with their gaming boxes that I don’t know about.

These are the interesting documents for those of you who want to duplicate this kind of behavior. Sadly, the only version of the NSA document is for RHEL5:
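As an added example (not code from the post, the Times, or any commenter), the following Python script runs the two checks raised in these comments over constructed iptables LOG lines: whether an RFC 1918 source turns up on the WAN-facing interface, which the networking reply above points out cannot arrive from across the Internet and so indicates spoofing or a compromised host on the ISP-side segment, and whether any source exceeds a three-tries-per-hour SSH limit like the one this commenter enforces. The interface names eth0/eth1, the log prefix, the sample addresses, the MAC-less line layout and the log year are all assumptions made for the example; the 172.16.0.0/12 boundary is spelled out because the shorthand "172.16.x.x" covers only the first of its sixteen /16s.

```python
"""Classify iptables LOG lines: RFC 1918 sources on the WAN side, and SSH
sources that exceed an attempts-per-window limit. Added example; the sample
log, interface names and year are constructed, not real captures."""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 1918 space spelled out so the 172.16.0.0/12 boundary is exact
# (172.16.0.0 through 172.31.255.255). Python's ip.is_private is NOT used
# because it also returns True for loopback and documentation ranges.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LOG_YEAR = 2013  # syslog timestamps carry no year; assumed for the sample

# Constructed sample in kernel iptables LOG format. eth0 is the assumed
# WAN-facing NIC, eth1 the LAN side; "public" addresses come from the
# RFC 5737 documentation ranges. Real lines also carry a MAC= field, which
# the regex below skips over with a non-greedy match.
SAMPLE_LOG = """\
Jan 31 09:00:01 bastion kernel: IPT-DROP: IN=eth0 OUT= SRC=192.168.1.77 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 31 09:05:12 bastion kernel: IPT-DROP: IN=eth0 OUT= SRC=192.168.1.77 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51001 DPT=3128 SYN
Jan 31 09:10:33 bastion kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 31 09:20:40 bastion kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 31 09:30:45 bastion kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 31 09:40:50 bastion kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40003 DPT=22 SYN
Jan 31 09:41:02 bastion kernel: IPT-DROP: IN=eth1 OUT= SRC=10.0.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50000 DPT=22 SYN
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?"
    r"PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_log(text):
    """Turn iptables LOG lines into records; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        records.append({
            "time": ts,
            "iface": m["iface"],
            "src": m["src"],
            "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None,
        })
    return records


def is_rfc1918(addr):
    """True only for 10/8, 172.16/12 and 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def private_sources_on_wan(records, wan_iface="eth0"):
    """RFC 1918 sources seen on the public-facing interface. These packets
    cannot have crossed the Internet, so they point at spoofing or at a host
    on the ISP-side segment rather than at a remote network."""
    return sorted({r["src"] for r in records
                   if r["iface"] == wan_iface and is_rfc1918(r["src"])})


def max_in_window(times, window):
    """Largest count of timestamps inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def ssh_sources_over_limit(records, limit=3, window=timedelta(hours=1), port=22):
    """Sources whose SSH connection attempts exceed `limit` within `window`,
    i.e. a 'three tries per hour' rule applied as detection over the log.
    Returns {source: peak attempts in any one window}."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "TCP" and r["dpt"] == port:
            by_src[r["src"]].append(r["time"])
    flagged = {}
    for src, ts in by_src.items():
        peak = max_in_window(ts, window)
        if peak > limit:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("RFC 1918 sources on WAN:", private_sources_on_wan(recs))
    print("SSH sources over limit:", ssh_sources_over_limit(recs))
```

The two results to read together: a private source on the WAN side tells you the traffic originated on your own ISP segment or was spoofed, so the useful follow-up is the MAC address and the ISP, not a geolocation of the IP; the per-source window count reproduces in the log what the rate-limit rule enforces on the wire, which lets you confirm the rule is working and spot sources that rotate addresses to stay under it.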

Probably not. I’m a long shot from this field but I recognize those who are by what they say and write, and the one who wrote this wouldn’t be able to:

Dusty on January 31, 2013 at 10:08 AM

Not knowing the particulars, you may be right. But if I were the NYT administrators, and I detected an intrusion which had succeeded on one computer, I’d have the pros embed that computer into a virtual honeypot farm with all sorts of “goodies” to induce further intrusion attempts and to determine what other weapons the assailants might have in their quivers.

I don’t think the NYT is stupid — they certainly would not let the Chinese run rampant over their network while they watched. I know that’s what they claimed they did, but I think they are shading the truth quite a bit to hide their technical resources.

Of course, if I were a Chinese source, I’d believe as you do — take the NYT at face value — and never talk directly to them. But I’m also willing to bet that the NYT interviewed few Chinese; rather, they used internet information they gleaned from inside the great firewall to write their articles. The Chinese may have been looking for internal IPs so they can improve the great firewall and censor their ISPs more carefully.